What Is Claimed Is: 



1. A method for providing content-based intrusion detection for a computer system by using an agile kernel-based auditing system, comprising:
receiving an audit specification;
wherein the audit specification specifies at least one target attribute to be recorded from a set of possible target attributes during an auditing process by the auditing system;
wherein the audit specification also specifies at least one auditing criterion that triggers recording of the at least one target attribute during the auditing process;
configuring the auditing system to record the at least one target attribute in response to detecting the at least one auditing criterion;
running the auditing system to produce an audit log by recording the at least one target attribute in response to detecting the at least one auditing criterion; and
examining the audit log to detect patterns for intrusion detection purposes.

2. The method of claim 1, further comprising:
detecting an event during the auditing process; and
in response to detecting the event, dynamically adjusting the auditing system during the auditing process to change the at least one auditing criterion and/or the at least one target attribute for subsequent operation of the auditing system.

3. The method of claim 1, wherein the auditing system is configured to modify a system call jump table to cause at least one selected system call to execute code that causes the at least one target attribute to be recorded in response to detecting the at least one auditing criterion.



4. The method of claim 1, wherein the at least one target attribute can include:
an argument from a system call;
a parameter of a process making the system call;
data read during the system call;
data written during the system call;
a parameter of a file involved in the system call; and
a parameter relating to a network communication involved in the system call.



5. The method of claim 1, wherein configuring the auditing system to record the at least one target attribute involves:
compiling the audit specification to produce a kernel module;
loading the kernel module into a kernel of an operating system of the computer system; and
linking code from within the kernel module into system calls within the operating system.



6. The method of claim 1, wherein the at least one auditing criterion can include:
a user identifier for a process that is making a system call;
an identifier for an application program from which the system call is being made; and
an identifier for a file being accessed by the system call.
7. The method of claim 1, wherein producing the audit log involves filtering the at least one target attribute to reduce an amount of data stored in the audit log.



8. The method of claim 1, wherein producing the audit log involves:
determining at least one characteristic of the at least one target attribute; and
recording the at least one characteristic in the audit log.

9. The method of claim 1, wherein the audit specification is received from one of:
a user of the auditing system; and
an intrusion detection mechanism.
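The auditing process of claims 1 through 9, worked through as an added example in Python (not code from the patent or its inventor): the names AuditSpec, triggered, make_record, adjust, run_audit and examine, the attribute keys, the /etc/ adjustment policy and the sample system call events are all assumptions constructed for this example. It shows a specification selecting target attributes (claim 4) under auditing criteria (claim 6), filtering and characteristic recording (claims 7 and 8), dynamic adjustment of the specification mid-run (claim 2), and a pattern check over the resulting audit log.

```python
# Added example, not the patent's own code: a user-space model of the audit
# specification, log and pattern check of claims 1-9; all names and events are constructed.
TARGET_ATTRIBUTES = {"args", "pid", "data_read", "data_written", "file", "net_peer"}  # claim 4
CRITERIA_KEYS = {"uid", "program", "file"}  # claim 6
class AuditSpec:
    def __init__(self, criteria, targets, max_data=8):
        assert set(criteria) <= CRITERIA_KEYS and set(targets) <= TARGET_ATTRIBUTES
        # criterion -> accepted values; attributes to record; claim 7 cap on payload bytes
        self.criteria, self.targets, self.max_data = dict(criteria), set(targets), max_data
def triggered(spec, event):
    """Recording fires only when every auditing criterion matches (claim 1)."""
    return all(event.get(k) in vals for k, vals in spec.criteria.items())
def make_record(spec, event):
    """Keep only target attributes; payloads become a length (claim 8) plus a prefix (claim 7)."""
    rec = {"syscall": event["syscall"], "pid": event["pid"]}
    for attr in spec.targets & set(event):
        val = event[attr]
        if attr in ("data_read", "data_written"):
            rec[attr + "_len"] = len(val)
            val = val[:spec.max_data]
        rec[attr] = val
    return rec
def opens_etc(rec): return rec["syscall"] == "open" and str(rec.get("file", "")).startswith("/etc/")
def adjust(spec, rec):
    """Claim 2: after an audited open under /etc/, widen the targets for later events."""
    if opens_etc(rec):  # adjustment policy constructed for this example
        spec.targets |= {"data_written", "net_peer"}
def run_audit(spec, events):
    """Claim 1: produce the audit log from a stream of system call events."""
    log = []
    for ev in events:
        if triggered(spec, ev):
            log.append(make_record(spec, ev))
            adjust(spec, log[-1])
    return log
def examine(log):
    """Last step of claim 1: pids that opened a file under /etc/ and sent to a network peer."""
    touched = {r["pid"] for r in log if opens_etc(r)}
    return [(r["pid"], r["net_peer"]) for r in log
            if r["syscall"] == "sendto" and r["pid"] in touched and "net_peer" in r]

SAMPLE_EVENTS = [  # constructed syscall stream, not captured from a real system
    {"syscall": "open", "pid": 41, "uid": 1000, "file": "/etc/hosts"},
    {"syscall": "read", "pid": 41, "uid": 1000, "data_read": b"127.0.0.1 localhost\n"},
    {"syscall": "sendto", "pid": 41, "uid": 1000, "net_peer": "198.51.100.7:443", "data_written": b"ok"},
    {"syscall": "open", "pid": 42, "uid": 0, "file": "/var/log/syslog"},
]
def demo():
    spec = AuditSpec({"uid": {1000}}, {"file", "data_read"})
    log = run_audit(spec, SAMPLE_EVENTS)
    return log, examine(log)
```

Running demo() records only the three uid 1000 events, with net_peer captured for the sendto call only because the earlier open under /etc/ widened the specification.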

10. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for providing content-based intrusion detection for a computer system by using an agile kernel-based auditing system, the method comprising:
receiving an audit specification;
wherein the audit specification specifies at least one target attribute to be recorded from a set of possible target attributes during an auditing process by the auditing system;
wherein the audit specification also specifies at least one auditing criterion that triggers recording of the at least one target attribute during the auditing process;
configuring the auditing system to record the at least one target attribute in response to detecting the at least one auditing criterion;
running the auditing system to produce an audit log by recording the at least one target attribute; and
examining the audit log to detect patterns for intrusion detection purposes.

Attorney Docket No. NA00-02401 Inventor: Ko
ARPC:\MY DOCUMENTS\NETWORK ASSOCIATES\NA00-02401\NA00-02401 APPLICATION.DOC



11. The computer-readable storage medium of claim 10, wherein the method further comprises:
detecting an event during the auditing process; and
in response to detecting the event, dynamically adjusting the auditing system during the auditing process to change the at least one auditing criterion and/or the at least one target attribute for subsequent operation of the auditing system.



12. The computer-readable storage medium of claim 10, wherein the auditing system is configured to modify a system call jump table to cause at least one selected system call to execute code that causes the at least one target attribute to be recorded in response to detecting the at least one auditing criterion.



13. The computer-readable storage medium of claim 10, wherein the at least one target attribute can include:
an argument from a system call;
a parameter of a process making the system call;
data read during the system call;
data written during the system call;
a parameter of a file involved in the system call; and
a parameter relating to a network communication involved in the system call.



14. The computer-readable storage medium of claim 10, wherein configuring the auditing system to record the at least one target attribute involves:
compiling the audit specification to produce a kernel module;
loading the kernel module into a kernel of an operating system of the computer system; and
linking code from within the kernel module into system calls within the operating system.



15. The computer-readable storage medium of claim 10, wherein the at least one auditing criterion can include:
a user identifier for a process that is making a system call;
an identifier for an application program from which the system call is being made; and
an identifier for a file being accessed by the system call.

16. The computer-readable storage medium of claim 10, wherein producing the audit log involves filtering the at least one target attribute to reduce an amount of data stored in the audit log.



17. The computer-readable storage medium of claim 10, wherein producing the audit log involves:
determining at least one characteristic of the at least one target attribute; and
recording the at least one characteristic in the audit log.
18. The computer-readable storage medium of claim 10, wherein the audit specification is received from one of:
a user of the auditing system; and
an intrusion detection mechanism.



19. An apparatus for providing content-based intrusion detection for a computer system by using an agile kernel-based auditing mechanism, comprising:
an auditing mechanism that is configured to audit system calls;
a receiving mechanism that is configured to receive an audit specification;
wherein the audit specification specifies at least one target attribute to be recorded from a set of possible target attributes during an auditing process by the auditing mechanism;
wherein the audit specification also specifies at least one auditing criterion that triggers recording of the at least one target attribute during the auditing process;
an initialization mechanism that configures the auditing mechanism to record the at least one target attribute in response to detecting the at least one auditing criterion;
wherein the auditing mechanism is configured to produce an audit log by recording the at least one target attribute in response to detecting the at least one auditing criterion; and
an intrusion detection mechanism that is configured to examine the audit log to detect patterns for intrusion detection purposes.



20. The apparatus of claim 19, wherein the initialization mechanism is further configured to:
detect an event during the auditing process; and
in response to detecting the event, to dynamically adjust the auditing mechanism during the auditing process to change the at least one auditing criterion and/or the at least one target attribute for subsequent operation of the auditing mechanism.

21. The apparatus of claim 19, wherein the auditing mechanism is 
configured to modify a system call jump table to cause at least one selected 
system call to execute code that causes the at least one target attribute to be 
recorded in response to detecting the at least one auditing criterion. 

22. The apparatus of claim 19, wherein the at least one target attribute can include:
an argument from a system call;
a parameter of a process making the system call;
data read during the system call;
data written during the system call;
a parameter of a file involved in the system call; and
a parameter relating to a network communication involved in the system call.

23. The apparatus of claim 19, wherein the auditing mechanism is configured to:
compile the audit specification to produce a kernel module;
load the kernel module into a kernel of an operating system of the computer system; and to
link code from within the kernel module into system calls within the operating system.

24. The apparatus of claim 19, wherein the at least one auditing criterion can include:
a user identifier for a process that is making a system call;
an identifier for an application program from which the system call is being made; and
an identifier for a file being accessed by the system call.



25. The apparatus of claim 19, wherein the auditing mechanism is 
configured to produce the audit log by filtering the at least one target attribute to 
reduce an amount of data stored in the audit log. 



26. The apparatus of claim 19, wherein the auditing mechanism is configured to produce the audit log by:
determining at least one characteristic of the at least one target attribute; and
recording the at least one characteristic in the audit log.

27. The apparatus of claim 19, wherein the audit specification is received from one of:
a user of the auditing mechanism; and
the intrusion detection mechanism.